Tomcat/TomEE SSL config with Cloudflare


Question

I have been having problems with the correct way to configure TomEE with Cloudflare-provided SSL. This is my first time doing this, so here is the situation:

1) First I create the keystore file:

keytool -keysize 2048 -genkey -alias tomee -keyalg RSA -keystore tomee.keystore

2) Then I import the generated keystore:

keytool -importkeystore -srckeystore tomee.keystore -destkeystore tomee.keystore -deststoretype pkcs12

3) After importing, I create the CSR file for issuing a certificate request:

keytool -certreq -keyalg RSA -alias tomee -file FQDN.csr -keystore tomee.keystore

4) Then I go into Cloudflare > SSL/TLS > Origin Server > Create Certificate > select "I have my own private key and CSR" > paste the FQDN.csr content into the text area > click Next > finally I receive the PEM contents, which I save on my server as FQDN.pem.

5) Import FQDN.pem into the keystore as a trusted certificate:

keytool -import -alias tomee -keystore tomee.keystore -trustcacerts -file FQDN.pem

6) Copy the tomee.keystore file into the TomEE conf directory.

7) Lastly, I configure server.xml for TomEE like so:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           compression="on" scheme="https" secure="true"
           keystoreFile="conf/tomee.keystore"
           keystorePass="myPasswordHere"
           SSLVerifyClient="none" SSLProtocol="TLSv1.2"
/>

8) Here I encounter the problem: I restart Tomcat and issue a request over port 8443. It works, but the certificate shows as invalid. Viewing the certificate, I get this: "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

As I see from the documentation HERE (Add Cloudflare Origin CA root certificates), I may need to add additional configuration with the provided files. Do I understand correctly, or am I missing something? If so, what would those configs look like? Should I be doing something like the format demonstrated in the server.xml file, like so (or is that a completely different thing?):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" xpoweredBy="false" server="Apache TomEE" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

Interestingly, there is not that much info on this online, and I have been struggling to understand the problem for quite a few days now. Any light shed on this would be helpful.

Kudos to the people who posted a similar topic HERE.

Accepted answer

Managed to solve it. To anyone interested, there were 2 problems:

1) Before performing step 5) for Tomcat/TomEE web servers, you need to add a trusted root certificate, with the Cloudflare-provided key from HERE (Configure the SSL/TLS mode in the Cloudflare SSL/TLS app).

keytool -import -alias root -keystore tomee.keystore -trustcacerts -file origin_ca_rsa_root.pem

Then add your aliased RSA to the keystore as in 5).

2) The other problem was an overlooked CN config in the Cloudflare DNS settings, so check your configs.

Hope this helps someone :)
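The keystore procedure from the question, with the fix from the answer applied (import the Origin CA root as a trusted entry before importing the signed certificate under the key alias), as an added shell example that is not part of the original question or answer and is not Cloudflare's or Tomcat's own code. It assumes a JDK keytool on the PATH and, because it has to run offline, generates a local self-signed CA as a stand-in for the Cloudflare Origin CA; the hostname origin.example.test, the password changeit, the CA name and the working directory are constructed placeholders. With the real Cloudflare root you would skip the two stand-in functions and use the downloaded origin_ca_rsa_root.pem and the FQDN.pem returned by the dashboard.

```shell
#!/bin/sh
# Added example (not from the original post): the corrected keytool procedure
# from the accepted answer, run offline. A locally generated self-signed CA
# (ca.p12) stands in for the Cloudflare Origin CA; in real use FQDN.pem comes
# back from the Cloudflare dashboard and origin_ca_rsa_root.pem is the root
# Cloudflare publishes. All names, passwords and the CN are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-changeit}"       # constructed; use a real password
FQDN="${FQDN:-origin.example.test}"      # constructed hostname
KEYSTORE="$WORKDIR/tomee.keystore"

# Stand-in for the Cloudflare Origin CA: a self-signed CA key pair whose
# certificate is exported as origin_ca_rsa_root.pem.
make_stand_in_ca() {
    keytool -genkeypair -alias root -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Constructed Origin CA" -ext bc=ca:true \
        -keystore "$WORKDIR/ca.p12" -storetype PKCS12 -storepass "$STOREPASS"
    keytool -exportcert -alias root -rfc -file "$WORKDIR/origin_ca_rsa_root.pem" \
        -keystore "$WORKDIR/ca.p12" -storetype PKCS12 -storepass "$STOREPASS"
}

# Steps 1 and 3 of the question: server key pair and CSR. The keystore is
# PKCS12 from the start, so the JKS-to-PKCS12 migration of step 2 is not needed.
make_server_key_and_csr() {
    keytool -genkeypair -alias tomee -keyalg RSA -keysize 2048 -dname "CN=$FQDN" \
        -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS"
    keytool -certreq -alias tomee -keyalg RSA -file "$WORKDIR/FQDN.csr" \
        -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS"
}

# Step 4 stand-in: sign the CSR with the local CA (Cloudflare does this for you).
sign_csr_with_stand_in_ca() {
    keytool -gencert -alias root -rfc -validity 365 -ext "san=dns:$FQDN" \
        -infile "$WORKDIR/FQDN.csr" -outfile "$WORKDIR/FQDN.pem" \
        -keystore "$WORKDIR/ca.p12" -storetype PKCS12 -storepass "$STOREPASS"
}

# The fix from the answer: import the issuing root as a trusted entry first,
# then import the signed certificate under the key alias. Because the root is
# already trusted in the keystore, keytool can link the reply to its issuer and
# stores a complete chain instead of a bare leaf certificate.
import_root_then_reply() {
    keytool -importcert -alias root -trustcacerts -noprompt \
        -file "$WORKDIR/origin_ca_rsa_root.pem" \
        -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS"
    keytool -importcert -alias tomee -trustcacerts -noprompt \
        -file "$WORKDIR/FQDN.pem" \
        -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS"
}

# Check: the chain length keytool reports for an alias. 1 means the leaf was
# stored without its issuer (the server-side view of the browser error in
# step 8); 2 means leaf plus root.
chain_length() {
    keytool -list -v -alias "$2" \
        -keystore "$1" -storetype PKCS12 -storepass "$STOREPASS" \
        | sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p'
}

run_demo() {
    make_stand_in_ca
    make_server_key_and_csr
    sign_csr_with_stand_in_ca
    import_root_then_reply
    echo "keystore: $KEYSTORE"
    echo "chain length for alias tomee: $(chain_length "$KEYSTORE" tomee)"
}

if command -v keytool >/dev/null 2>&1; then
    run_demo
else
    echo "keytool not found; install a JDK to run this example" >&2
fi
```

After it runs, point the connector's keystoreFile at the produced tomee.keystore (and keystorePass at the password you chose); chain_length reporting 2 is the server-side confirmation that the issuer is now stored with the leaf. Note that Cloudflare Origin CA certificates are trusted by Cloudflare's edge, not by public browser trust stores, so a browser that connects to port 8443 directly still will not trust the chain; the useful end-to-end check is that requests proxied through Cloudflare succeed with the origin set to Full (strict).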
